Latest evasion techniques in fileless malware

BSidesLV 2016

Presented by: fl3uryz
Date: Wednesday August 03, 2016
Time: 14:30 - 15:00
Location: Florentine E
Track: Proving Ground

This talk dives into the latest file-less malware: how it hides using new evasion techniques, how those techniques have been applied in recent attacks, and what other ways future file-less malware could use to evade detection.

In the past, malware developers have implemented different techniques to circumvent detection of their malicious code. For instance, memory-resident malware loads its code into the memory of legitimate processes, even operating system files, while rootkits cloak themselves in the kernel.

Unlike their predecessors, the new types of file-less malware no longer drop small compiled binaries on the compromised system during their malicious activities. Instead, they proceed with their attack directly from the Windows registry in a truly file-less manner, self-destroying any temporary traces of themselves on the file system before executing the malicious code. These techniques have made such malware better at evading detection. To understand them further, different file-less malware examples such as Kovyer, Poweliks, XseKit, kovter, corBOT etc. will be examined.
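A defender-side check for the registry-resident launchers described above, written as an added example that is not part of the talk: it parses a constructed .reg export of an autorun key and flags values that hand inline script to a script host or pull their next stage from another registry value. The sample values, the list of script hosts and the regex heuristics are all constructed for illustration.

```python
import re

# Constructed .reg export of an autorun key; values are hypothetical, not real samples.
SAMPLE_REG = r'''
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\u\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"Sync"="powershell.exe -w hidden -enc UwB0AGEAZwBlADIA"
"Loader"="powershell.exe -c \"iex (gp 'HKCU:\\Software\\Classes\\x').p\""
"Helper"="mshta.exe vbscript:MsgBox(\"x\")"
"Stage"="wscript.exe //e:jscript C:\\Users\\u\\AppData\\Local\\Temp\\a.js"
'''

KEY_RE = re.compile(r'^\[(.+)\]$')
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')
# Interpreters that will run code handed to them on the command line (constructed list).
SCRIPT_HOSTS = {"powershell.exe", "mshta.exe", "rundll32.exe", "wscript.exe",
                "cscript.exe", "regsvr32.exe", "cmd.exe"}
INLINE_RE = re.compile(r'-enc(odedcommand)?\b|-e\s|-c(ommand)?\s|\biex\b|'
                       r'javascript:|vbscript:|<script', re.I)
# A launcher that fetches its next stage from another registry value.
REGREAD_RE = re.compile(r'HKCU:|HKLM:|HKEY_[A-Z_]+|Get-ItemProperty|\bgp\b|RegRead', re.I)


def parse_reg(text):
    """Yield (key, value_name, data) for each string value, with .reg escapes undone."""
    key = None
    for line in map(str.strip, text.splitlines()):
        if m := KEY_RE.match(line):
            key = m.group(1)
        elif key and (m := VALUE_RE.match(line)):
            yield key, re.sub(r'\\(.)', r'\1', m.group(1)), re.sub(r'\\(.)', r'\1', m.group(2))


def launcher(data):
    """Lower-cased basename of the program an autorun value starts ('' if empty)."""
    token = data[1:].split('"', 1)[0] if data.startswith('"') else (data.split(None, 1) or [""])[0]
    return token.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def assess(data):
    """Reasons a value looks like a registry-resident launcher rather than a file on disk."""
    host = launcher(data)
    if host not in SCRIPT_HOSTS:
        return []
    reasons = []
    if INLINE_RE.search(data):
        reasons.append("inline script passed to " + host)
    if REGREAD_RE.search(data):
        reasons.append("payload read from another registry value")
    return reasons


def triage(text):
    """Map flagged value names to their reasons; values that start a file on disk are omitted."""
    return {name: r for _, name, data in parse_reg(text) if (r := assess(data))}
```

Note that the file-backed script (`Stage`) is deliberately not flagged: it still leaves an artifact on disk, which is exactly what the registry-resident variants avoid.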

In the modern computing world, achieving a moderate degree of persistence has become easier for malware: devices remain online for longer periods and are more likely to sleep than reboot, so malicious code can keep running for days. In this context, the fact that file-less malware may need to trade persistence for stealth is much less of an issue, which makes it well suited to attacks whose success does not depend on long-term persistence. For instance, in the ransomware family of attacks, file-less malware only needs to stay alive long enough to encrypt and remove the original files and then demand a ransom. In contrast, in attacks where malware must remain undetected for months or even years (for example, for information gathering), relying solely on file-less evasion techniques might not be as effective.

fl3uryz

